VulnerableApp currently has authentication-related vulnerabilities but has never had session-related ones.
The goal of this issue is to introduce sessions, and the vulnerabilities that come with them, to VulnerableApp.
Session management
- Session fixation (CWE-384) -- Session ID not regenerated after login. Attacker pre-sets the session cookie.
- Predictable session IDs (CWE-330) -- Session tokens generated from a sequential counter instead of a CSPRNG.
- Missing logout invalidation (CWE-613) -- Logout clears the cookie but does not destroy the server-side session.
- No login rate limiting (CWE-307) -- Unlimited login attempts with no delay, lockout, or CAPTCHA.
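As an illustration of how the four session items could be modelled, here is a small in-memory store with each weak behaviour selectable beside its fix. This is added example code, not VulnerableApp's, and every class and method name in it is an assumption. It assumes the app keeps its own cookie-backed session store rather than the container's, since a servlet container's JSESSIONID already comes from a CSPRNG and a deliberately predictable ID needs an app-managed generator.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicLong;

// Minimal in-memory session store (not VulnerableApp code; all names are assumptions).
// Each weak behaviour from the list is a flag so it can sit beside its fix.
public class SessionDemo {

    interface IdGenerator { String next(); }

    // CWE-330: a sequential counter; one observed value predicts every other one.
    static final class CounterIdGenerator implements IdGenerator {
        private final AtomicLong counter = new AtomicLong(1000);
        public String next() { return Long.toString(counter.incrementAndGet()); }
    }

    // Fix: 128 random bits from a CSPRNG, URL-safe encoded so it fits a cookie value.
    static final class SecureIdGenerator implements IdGenerator {
        private final SecureRandom rng = new SecureRandom();
        public String next() {
            byte[] buf = new byte[16];
            rng.nextBytes(buf);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        }
    }

    static final class Session { String user; } // null until authenticated

    static final class SessionStore {
        private final Map<String, Session> sessions = new HashMap<>();
        private final IdGenerator ids;
        SessionStore(IdGenerator ids) { this.ids = ids; }

        // Called after the password check passed. presentedId is the cookie the
        // browser sent; the return value is the id the browser must use from now on.
        String login(String presentedId, String user, boolean regenerateId) {
            if (!regenerateId) {
                // CWE-384: the pre-login id is promoted to an authenticated one, so an
                // attacker who planted presentedId in the victim's browser now holds a
                // logged-in session. Accepting a client-supplied id at all is part of it.
                Session s = sessions.computeIfAbsent(presentedId, k -> new Session());
                s.user = user;
                return presentedId;
            }
            sessions.remove(presentedId);   // anything bound to the old id dies here
            String fresh = ids.next();
            Session s = new Session();
            s.user = user;
            sessions.put(fresh, s);
            return fresh;
        }

        // Expiring the cookie happens in the browser; only the server-side removal
        // (the CWE-613 fix) stops a captured id from being replayed after logout.
        void logout(String id, boolean destroyServerSide) {
            if (destroyServerSide) sessions.remove(id);
        }

        String userFor(String id) {
            Session s = sessions.get(id);
            return s == null ? null : s.user;
        }
    }

    // CWE-307 fix: lock the account for a window after maxAttempts failures.
    static final class LoginThrottle {
        private final Map<String, int[]> failures = new HashMap<>();   // user -> {count}
        private final Map<String, Long> lockedUntil = new HashMap<>(); // user -> epoch ms
        private final int maxAttempts;
        private final long lockoutMillis;
        LoginThrottle(int maxAttempts, long lockoutMillis) {
            this.maxAttempts = maxAttempts;
            this.lockoutMillis = lockoutMillis;
        }
        boolean allowed(String user) {
            Long until = lockedUntil.get(user);
            return until == null || System.currentTimeMillis() >= until;
        }
        void recordFailure(String user) {
            int[] c = failures.computeIfAbsent(user, k -> new int[1]);
            if (++c[0] >= maxAttempts) {
                lockedUntil.put(user, System.currentTimeMillis() + lockoutMillis);
                c[0] = 0;
            }
        }
        void recordSuccess(String user) { failures.remove(user); lockedUntil.remove(user); }
    }

    public static void main(String[] args) {
        String planted = "1001"; // the counter's first value: guessable, and plantable in a victim's cookie

        SessionStore weak = new SessionStore(new CounterIdGenerator());
        weak.login(planted, "alice", false);
        System.out.println("weak  : planted id now belongs to " + weak.userFor(planted));

        SessionStore fixed = new SessionStore(new SecureIdGenerator());
        String fresh = fixed.login(planted, "alice", true);
        System.out.println("fixed : planted id resolves to " + fixed.userFor(planted) + ", new id " + fresh);

        fixed.logout(fresh, false);
        System.out.println("logout, cookie only     : " + fixed.userFor(fresh));
        fixed.logout(fresh, true);
        System.out.println("logout, server-side too : " + fixed.userFor(fresh));

        LoginThrottle throttle = new LoginThrottle(5, 60_000);
        for (int i = 0; i < 5; i++) throttle.recordFailure("alice");
        System.out.println("6th attempt allowed: " + throttle.allowed("alice"));
    }
}
```

Run with `java SessionDemo.java` (Java 11+). In a servlet-based level the fixed path corresponds to calling `HttpServletRequest.changeSessionId()` (Servlet 3.1) or `session.invalidate()` followed by `getSession(true)` after the password check, and `session.invalidate()` in the logout handler; the weak levels need the app-managed store shown here because the container will not hand out predictable ids.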
Password reset
- Predictable reset token -- Token generated from timestamp or sequential ID.
- Reset token reuse -- Token not invalidated after first use.
- Reset without identity verification -- No email/security question check before allowing password change.
We are also planning to add a local SMTP server; if this issue is picked up after that lands, please try adding password reset scenarios that go through email.
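For the three password reset items, here is the weak flow described above beside a hardened one. This is added example code, not VulnerableApp's; class, method and field names are assumptions. In the hardened version the token itself is what gets e-mailed, so receiving it is the identity check; since there is no SMTP server in the example, `requestReset` hands the token back directly in place of delivery.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Weak reset flow from the issue beside a hardened one. Not VulnerableApp code;
// all names are assumptions. Passwords are kept in plain text here for the demo only.
public class PasswordResetDemo {

    static final Map<String, String> passwords = new HashMap<>(); // user -> password

    // Weak level: token is the millisecond timestamp of the request, never expires,
    // is never consumed, and the reset step does not ask who is calling.
    static final class WeakReset {
        private final Map<String, String> tokenToUser = new HashMap<>();
        String requestReset(String user) {
            String token = Long.toString(System.currentTimeMillis()); // guessable to within a few ms
            tokenToUser.put(token, user);
            return token;
        }
        boolean reset(String token, String newPassword) {
            String user = tokenToUser.get(token); // never removed: reusable forever
            if (user == null) return false;
            passwords.put(user, newPassword);
            return true;
        }
    }

    // Hardened: CSPRNG token, stored only as a hash, bound to one account, expiring, single use.
    static final class HardenedReset {
        static final class Pending {
            final String user; final long expiresAt;
            Pending(String user, long expiresAt) { this.user = user; this.expiresAt = expiresAt; }
        }
        private final Map<String, Pending> pendingByTokenHash = new HashMap<>();
        private final Map<String, String> registeredEmail; // user -> address on file
        private final SecureRandom rng = new SecureRandom();
        private final long ttlMillis;
        HardenedReset(Map<String, String> registeredEmail, long ttlMillis) {
            this.registeredEmail = registeredEmail;
            this.ttlMillis = ttlMillis;
        }

        // Issues a token only for the address on file. Returned here in place of
        // e-mail delivery; the HTTP response to the requester must look the same
        // whether or not the account exists, or the endpoint becomes a username oracle.
        String requestReset(String user, String claimedEmail) {
            String onFile = registeredEmail.get(user);
            if (onFile == null || !onFile.equalsIgnoreCase(claimedEmail)) return null;
            byte[] raw = new byte[32];
            rng.nextBytes(raw);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            pendingByTokenHash.put(sha256(token), new Pending(user, System.currentTimeMillis() + ttlMillis));
            return token;
        }

        boolean reset(String user, String token, String newPassword) {
            String key = sha256(token);
            Pending p = pendingByTokenHash.get(key);
            if (p == null || !p.user.equals(user) || System.currentTimeMillis() > p.expiresAt) return false;
            pendingByTokenHash.remove(key); // single use: gone before the password changes
            passwords.put(user, newPassword);
            return true;
        }
    }

    // Hashing before lookup means a leaked table holds no usable tokens, and the map
    // lookup never compares attacker-controlled bytes against the stored secret directly.
    static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        WeakReset weak = new WeakReset();
        String t = weak.requestReset("alice");
        System.out.println("weak    : first use " + weak.reset(t, "pw1") + ", second use " + weak.reset(t, "pw2"));

        Map<String, String> emails = new HashMap<>();
        emails.put("alice", "alice@example.test"); // constructed sample account
        HardenedReset hard = new HardenedReset(emails, 15 * 60_000L);
        System.out.println("hardened: token issued for wrong e-mail? "
                + (hard.requestReset("alice", "mallory@example.test") != null));
        String token = hard.requestReset("alice", "alice@example.test");
        System.out.println("hardened: used against other account " + hard.reset("bob", token, "pw")
                + ", first use " + hard.reset("alice", token, "pw3")
                + ", second use " + hard.reset("alice", token, "pw4"));
    }
}
```

Run with `java PasswordResetDemo.java` (Java 11+). Once the local SMTP server exists, the only change needed for the hardened flow is to send the token to `onFile` instead of returning it; the weak levels can keep echoing it, which is itself a realistic misconfiguration to exercise.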